From 5ea1c1b91ec31461fa26d4104b7113fc326cdbcb Mon Sep 17 00:00:00 2001
From: Rob Mensching <rob@firegiant.com>
Date: Wed, 1 Jun 2022 13:42:18 -0700
Subject: Remote payloads using certificate verification cannot use hash

Fixes 6745
---
 src/ext/NetFx/wixlib/NetCore3.1.12_x64.wxs         |  12 +-
 src/ext/NetFx/wixlib/NetCore3.1.12_x86.wxs         |  12 +-
 src/ext/NetFx/wixlib/NetFx462.wxs                  |   8 +-
 src/ext/NetFx/wixlib/NetFx472.wxs                  |   8 +-
 src/ext/NetFx/wixlib/NetFx48.wxs                   |   8 +-
 .../WixToolset.Core.Burn/Bind/BindBundleCommand.cs |   4 +-
 .../Bundles/CacheIdGenerator.cs                    |  45 ++++++
 .../Bundles/ProcessExePackageCommand.cs            |  11 +-
 .../Bundles/ProcessMsuPackageCommand.cs            |  10 +-
 .../CommandLine/RemotePayloadSubcommand.cs         |  98 +++++++++----
 src/wix/WixToolset.Core/Compile/CompilerPayload.cs |  30 ++--
 .../ExePackageFixture.cs                           |  27 ++++
 .../MsuPackageFixture.cs                           |  56 ++++++++
 .../PackagePayloadFixture.cs                       |   3 +-
 .../RemotePayloadFixture.cs                        | 159 ++++++++++++++++++---
 .../TestData/.Data/fakeba.dll                      |   1 +
 .../UseCertificateVerificationWithoutCacheId.wxs   |  13 ++
 .../BundleUsingCertificateVerification.wxs         |  13 ++
 ...eUsingCertificateVerificationWithoutCacheId.wxs |  13 ++
 .../TestData/MsuPackage/data/fakeba.dll            |   1 -
 .../PackagePayload/SpecifiedCertificate.wxs        |   2 +-
 ...cifiedCertificatePublicKeyWithoutThumbprint.wxs |   2 +-
 22 files changed, 440 insertions(+), 96 deletions(-)
 create mode 100644 src/wix/WixToolset.Core.Burn/Bundles/CacheIdGenerator.cs
 create mode 100644 src/wix/test/WixToolsetTest.CoreIntegration/TestData/.Data/fakeba.dll
 create mode 100644 src/wix/test/WixToolsetTest.CoreIntegration/TestData/ExePackage/UseCertificateVerificationWithoutCacheId.wxs
 create mode 100644 src/wix/test/WixToolsetTest.CoreIntegration/TestData/MsuPackage/BundleUsingCertificateVerification.wxs
 create mode 100644 src/wix/test/WixToolsetTest.CoreIntegration/TestData/MsuPackage/BundleUsingCertificateVerificationWithoutCacheId.wxs
 delete mode 100644 src/wix/test/WixToolsetTest.CoreIntegration/TestData/MsuPackage/data/fakeba.dll

(limited to 'src')

diff --git a/src/ext/NetFx/wixlib/NetCore3.1.12_x64.wxs b/src/ext/NetFx/wixlib/NetCore3.1.12_x64.wxs
index b69bb37f..3a1f5910 100644
--- a/src/ext/NetFx/wixlib/NetCore3.1.12_x64.wxs
+++ b/src/ext/NetFx/wixlib/NetCore3.1.12_x64.wxs
@@ -20,8 +20,8 @@
         <WixVariable Id="AspNetCoreRuntime$(var.NetCoreIdVersion)Redist$(var.NetCorePlatform)RepairArguments" Value="" Overridable="yes" />
 
         <PackageGroup Id="$(var.AspNetCoreRedistId)">
-            <ExePackage InstallArguments="$(var.AspNetCoreRedistInstallArguments)" PerMachine="yes" DetectCondition="!(wix.AspNetCoreRuntime$(var.NetCoreIdVersion)Redist$(var.NetCorePlatform)DetectCondition)" InstallCondition="!(wix.AspNetCoreRuntime$(var.NetCoreIdVersion)Redist$(var.NetCorePlatform)InstallCondition)" Id="$(var.AspNetCoreRedistId)" Vital="yes" Permanent="yes" Bundle="yes" LogPathVariable="$(var.AspNetCoreRedistLog)" Cache="remove">
-                <ExePackagePayload Name="!(wix.AspNetCoreRuntime$(var.NetCoreIdVersion)Redist$(var.NetCorePlatform)PackageDirectory)aspnetcore-runtime-$(var.NetCoreVersion)-win-$(var.NetCorePlatform).exe" DownloadUrl="$(var.AspNetCoreRedistLink)" ProductName="Microsoft ASP.NET Core 3.1.12 - Shared Framework" Description="Microsoft ASP.NET Core 3.1.12 - Shared Framework" CertificatePublicKey="3756E9BBF4461DCD0AA68E0D1FCFFA9CEA47AC18" CertificateThumbprint="2485A7AFA98E178CB8F30C9838346B514AEA4769" Hash="5CE9839CAE90FB2936033431F2905E97C7DC080DC50108D58714939CCCC6A265694B8259A3BF742A68BF04D9CFFB0602B0306DD401C4CE644BDB96C7D1168E59" Size="7841808" Version="3.1.12.21070" />
+            <ExePackage CacheId="$(var.AspNetCoreRedistId)_2485A7AFA98E178CB8F30C9838346B514AEA4769" InstallArguments="$(var.AspNetCoreRedistInstallArguments)" PerMachine="yes" DetectCondition="!(wix.AspNetCoreRuntime$(var.NetCoreIdVersion)Redist$(var.NetCorePlatform)DetectCondition)" InstallCondition="!(wix.AspNetCoreRuntime$(var.NetCoreIdVersion)Redist$(var.NetCorePlatform)InstallCondition)" Id="$(var.AspNetCoreRedistId)" Vital="yes" Permanent="yes" Bundle="yes" LogPathVariable="$(var.AspNetCoreRedistLog)" Cache="remove">
+                <ExePackagePayload Name="!(wix.AspNetCoreRuntime$(var.NetCoreIdVersion)Redist$(var.NetCorePlatform)PackageDirectory)aspnetcore-runtime-$(var.NetCoreVersion)-win-$(var.NetCorePlatform).exe" DownloadUrl="$(var.AspNetCoreRedistLink)" ProductName="Microsoft ASP.NET Core 3.1.12 - Shared Framework" Description="Microsoft ASP.NET Core 3.1.12 - Shared Framework" CertificatePublicKey="3756E9BBF4461DCD0AA68E0D1FCFFA9CEA47AC18" CertificateThumbprint="2485A7AFA98E178CB8F30C9838346B514AEA4769" Size="7841808" Version="3.1.12.21070" />
             </ExePackage>
         </PackageGroup>
     </Fragment>
@@ -35,8 +35,8 @@
         <WixVariable Id="DesktopNetCoreRuntime$(var.NetCoreIdVersion)Redist$(var.NetCorePlatform)RepairArguments" Value="" Overridable="yes" />
 
         <PackageGroup Id="$(var.DesktopNetCoreRedistId)">
-            <ExePackage InstallArguments="$(var.DesktopNetCoreRedistInstallArguments)" PerMachine="yes" DetectCondition="!(wix.DesktopNetCoreRuntime$(var.NetCoreIdVersion)Redist$(var.NetCorePlatform)DetectCondition)" InstallCondition="!(wix.DesktopNetCoreRuntime$(var.NetCoreIdVersion)Redist$(var.NetCorePlatform)InstallCondition)" Id="$(var.DesktopNetCoreRedistId)" Vital="yes" Permanent="yes" Bundle="yes" LogPathVariable="$(var.DesktopNetCoreRedistLog)" Cache="remove">
-                <ExePackagePayload Name="!(wix.DesktopNetCoreRuntime$(var.NetCoreIdVersion)Redist$(var.NetCorePlatform)PackageDirectory)windowsdesktop-runtime-$(var.NetCoreVersion)-win-$(var.NetCorePlatform).exe" DownloadUrl="$(var.DesktopNetCoreRedistLink)" ProductName="Microsoft Windows Desktop Runtime - 3.1.12 (x64)" Description="Microsoft Windows Desktop Runtime - 3.1.12 (x64)" CertificatePublicKey="3756E9BBF4461DCD0AA68E0D1FCFFA9CEA47AC18" CertificateThumbprint="2485A7AFA98E178CB8F30C9838346B514AEA4769" Hash="CD69B8722B2FF175FADD6774AB6A97F89292FC57A15CEC95218E79FFF1E26F46A7EFFFB15CE0F6D22B83B991F7083BB5C04F5158F87D298EA0F204933F8ECD27" Size="54284816" Version="3.1.12.29719" />
+            <ExePackage CacheId="$(var.DesktopNetCoreRedistId)_2485A7AFA98E178CB8F30C9838346B514AEA4769" InstallArguments="$(var.DesktopNetCoreRedistInstallArguments)" PerMachine="yes" DetectCondition="!(wix.DesktopNetCoreRuntime$(var.NetCoreIdVersion)Redist$(var.NetCorePlatform)DetectCondition)" InstallCondition="!(wix.DesktopNetCoreRuntime$(var.NetCoreIdVersion)Redist$(var.NetCorePlatform)InstallCondition)" Id="$(var.DesktopNetCoreRedistId)" Vital="yes" Permanent="yes" Bundle="yes" LogPathVariable="$(var.DesktopNetCoreRedistLog)" Cache="remove">
+                <ExePackagePayload Name="!(wix.DesktopNetCoreRuntime$(var.NetCoreIdVersion)Redist$(var.NetCorePlatform)PackageDirectory)windowsdesktop-runtime-$(var.NetCoreVersion)-win-$(var.NetCorePlatform).exe" DownloadUrl="$(var.DesktopNetCoreRedistLink)" ProductName="Microsoft Windows Desktop Runtime - 3.1.12 (x64)" Description="Microsoft Windows Desktop Runtime - 3.1.12 (x64)" CertificatePublicKey="3756E9BBF4461DCD0AA68E0D1FCFFA9CEA47AC18" CertificateThumbprint="2485A7AFA98E178CB8F30C9838346B514AEA4769" Size="54284816" Version="3.1.12.29719" />
             </ExePackage>
         </PackageGroup>
     </Fragment>
@@ -50,8 +50,8 @@
         <WixVariable Id="DotNetCoreRuntime$(var.NetCoreIdVersion)Redist$(var.NetCorePlatform)RepairArguments" Value="" Overridable="yes" />
 
         <PackageGroup Id="$(var.DotNetCoreRedistId)">
-            <ExePackage InstallArguments="$(var.DotNetCoreRedistInstallArguments)" PerMachine="yes" DetectCondition="!(wix.DotNetCoreRuntime$(var.NetCoreIdVersion)Redist$(var.NetCorePlatform)DetectCondition)" InstallCondition="!(wix.DotNetCoreRuntime$(var.NetCoreIdVersion)Redist$(var.NetCorePlatform)InstallCondition)" Id="$(var.DotNetCoreRedistId)" Vital="yes" Permanent="yes" Protocol="burn" LogPathVariable="$(var.DotNetCoreRedistLog)" Cache="remove">
-                <ExePackagePayload Name="!(wix.DotNetCoreRuntime$(var.NetCoreIdVersion)Redist$(var.NetCorePlatform)PackageDirectory)dotnet-runtime-$(var.NetCoreVersion)-win-$(var.NetCorePlatform).exe" DownloadUrl="$(var.DotNetCoreRedistLink)" ProductName="Microsoft .NET Core Runtime - 3.1.12 (x64)" Description="Microsoft .NET Core Runtime - 3.1.12 (x64)" CertificatePublicKey="3756E9BBF4461DCD0AA68E0D1FCFFA9CEA47AC18" CertificateThumbprint="2485A7AFA98E178CB8F30C9838346B514AEA4769" Hash="9B3F882AE5DFDC8B50D3CEC4F3292292D658B2FECB84B3F73426FB3C16E6FC6B8E7118EF559CFAE25ED7A2C175FA4D89E18986CA3C05D15F706524FBB667F702" Size="26090616" Version="3.1.12.29719" />
+            <ExePackage CacheId="$(var.DotNetCoreRedistId)_2485A7AFA98E178CB8F30C9838346B514AEA4769" InstallArguments="$(var.DotNetCoreRedistInstallArguments)" PerMachine="yes" DetectCondition="!(wix.DotNetCoreRuntime$(var.NetCoreIdVersion)Redist$(var.NetCorePlatform)DetectCondition)" InstallCondition="!(wix.DotNetCoreRuntime$(var.NetCoreIdVersion)Redist$(var.NetCorePlatform)InstallCondition)" Id="$(var.DotNetCoreRedistId)" Vital="yes" Permanent="yes" Protocol="burn" LogPathVariable="$(var.DotNetCoreRedistLog)" Cache="remove">
+                <ExePackagePayload Name="!(wix.DotNetCoreRuntime$(var.NetCoreIdVersion)Redist$(var.NetCorePlatform)PackageDirectory)dotnet-runtime-$(var.NetCoreVersion)-win-$(var.NetCorePlatform).exe" DownloadUrl="$(var.DotNetCoreRedistLink)" ProductName="Microsoft .NET Core Runtime - 3.1.12 (x64)" Description="Microsoft .NET Core Runtime - 3.1.12 (x64)" CertificatePublicKey="3756E9BBF4461DCD0AA68E0D1FCFFA9CEA47AC18" CertificateThumbprint="2485A7AFA98E178CB8F30C9838346B514AEA4769" Size="26090616" Version="3.1.12.29719" />
             </ExePackage>
         </PackageGroup>
     </Fragment>
diff --git a/src/ext/NetFx/wixlib/NetCore3.1.12_x86.wxs b/src/ext/NetFx/wixlib/NetCore3.1.12_x86.wxs
index cf88b32c..e3a70daf 100644
--- a/src/ext/NetFx/wixlib/NetCore3.1.12_x86.wxs
+++ b/src/ext/NetFx/wixlib/NetCore3.1.12_x86.wxs
@@ -20,8 +20,8 @@
         <WixVariable Id="AspNetCoreRuntime$(var.NetCoreIdVersion)Redist$(var.NetCorePlatform)RepairArguments" Value="" Overridable="yes" />
 
         <PackageGroup Id="$(var.AspNetCoreRedistId)">
-            <ExePackage InstallArguments="$(var.AspNetCoreRedistInstallArguments)" PerMachine="yes" DetectCondition="!(wix.AspNetCoreRuntime$(var.NetCoreIdVersion)Redist$(var.NetCorePlatform)DetectCondition)" InstallCondition="!(wix.AspNetCoreRuntime$(var.NetCoreIdVersion)Redist$(var.NetCorePlatform)InstallCondition)" Id="$(var.AspNetCoreRedistId)" Vital="yes" Permanent="yes" Protocol="burn" LogPathVariable="$(var.AspNetCoreRedistLog)" Cache="remove">
-                <ExePackagePayload Name="!(wix.AspNetCoreRuntime$(var.NetCoreIdVersion)Redist$(var.NetCorePlatform)PackageDirectory)aspnetcore-runtime-$(var.NetCoreVersion)-win-$(var.NetCorePlatform).exe" DownloadUrl="$(var.AspNetCoreRedistLink)" ProductName="Microsoft ASP.NET Core 3.1.12 - Shared Framework" Description="Microsoft ASP.NET Core 3.1.12 - Shared Framework" CertificatePublicKey="3756E9BBF4461DCD0AA68E0D1FCFFA9CEA47AC18" CertificateThumbprint="2485A7AFA98E178CB8F30C9838346B514AEA4769" Hash="03EE5F6D3B2AF8FFE2A5154BB05E50938E2D36E98D996D9E67A3C349DD0C8B3051D5A9628F48C51E006CEA0B1F4484B4BE51920FE5CA841060B0D2C6A12FD5D2" Size="7167176" Version="3.1.12.21070" />
+            <ExePackage CacheId="$(var.AspNetCoreRedistId)_2485A7AFA98E178CB8F30C9838346B514AEA4769" InstallArguments="$(var.AspNetCoreRedistInstallArguments)" PerMachine="yes" DetectCondition="!(wix.AspNetCoreRuntime$(var.NetCoreIdVersion)Redist$(var.NetCorePlatform)DetectCondition)" InstallCondition="!(wix.AspNetCoreRuntime$(var.NetCoreIdVersion)Redist$(var.NetCorePlatform)InstallCondition)" Id="$(var.AspNetCoreRedistId)" Vital="yes" Permanent="yes" Protocol="burn" LogPathVariable="$(var.AspNetCoreRedistLog)" Cache="remove">
+                <ExePackagePayload Name="!(wix.AspNetCoreRuntime$(var.NetCoreIdVersion)Redist$(var.NetCorePlatform)PackageDirectory)aspnetcore-runtime-$(var.NetCoreVersion)-win-$(var.NetCorePlatform).exe" DownloadUrl="$(var.AspNetCoreRedistLink)" ProductName="Microsoft ASP.NET Core 3.1.12 - Shared Framework" Description="Microsoft ASP.NET Core 3.1.12 - Shared Framework" CertificatePublicKey="3756E9BBF4461DCD0AA68E0D1FCFFA9CEA47AC18" CertificateThumbprint="2485A7AFA98E178CB8F30C9838346B514AEA4769" Size="7167176" Version="3.1.12.21070" />
             </ExePackage>
         </PackageGroup>
     </Fragment>
@@ -35,8 +35,8 @@
         <WixVariable Id="DesktopNetCoreRuntime$(var.NetCoreIdVersion)Redist$(var.NetCorePlatform)RepairArguments" Value="" Overridable="yes" />
 
         <PackageGroup Id="$(var.DesktopNetCoreRedistId)">
-            <ExePackage InstallArguments="$(var.DesktopNetCoreRedistInstallArguments)" PerMachine="yes" DetectCondition="!(wix.DesktopNetCoreRuntime$(var.NetCoreIdVersion)Redist$(var.NetCorePlatform)DetectCondition)" InstallCondition="!(wix.DesktopNetCoreRuntime$(var.NetCoreIdVersion)Redist$(var.NetCorePlatform)InstallCondition)" Id="$(var.DesktopNetCoreRedistId)" Vital="yes" Permanent="yes" Protocol="burn" LogPathVariable="$(var.DesktopNetCoreRedistLog)" Cache="remove">
-                <ExePackagePayload Name="!(wix.DesktopNetCoreRuntime$(var.NetCoreIdVersion)Redist$(var.NetCorePlatform)PackageDirectory)windowsdesktop-runtime-$(var.NetCoreVersion)-win-$(var.NetCorePlatform).exe" DownloadUrl="$(var.DesktopNetCoreRedistLink)" ProductName="Microsoft Windows Desktop Runtime - 3.1.12 (x86)" Description="Microsoft Windows Desktop Runtime - 3.1.12 (x86)" CertificatePublicKey="3756E9BBF4461DCD0AA68E0D1FCFFA9CEA47AC18" CertificateThumbprint="2485A7AFA98E178CB8F30C9838346B514AEA4769" Hash="C211A7F29D9B6FEEFCF0379B153FFBFB815157D3D494CFD7D0D84D619701EEA284BF12502094BCFF2BB2968213190454E7CE0E865FD623E78C2FCDAEBEF963DA" Size="48590696" Version="3.1.12.29719" />
+            <ExePackage CacheId="$(var.DesktopNetCoreRedistId)_2485A7AFA98E178CB8F30C9838346B514AEA4769" InstallArguments="$(var.DesktopNetCoreRedistInstallArguments)" PerMachine="yes" DetectCondition="!(wix.DesktopNetCoreRuntime$(var.NetCoreIdVersion)Redist$(var.NetCorePlatform)DetectCondition)" InstallCondition="!(wix.DesktopNetCoreRuntime$(var.NetCoreIdVersion)Redist$(var.NetCorePlatform)InstallCondition)" Id="$(var.DesktopNetCoreRedistId)" Vital="yes" Permanent="yes" Protocol="burn" LogPathVariable="$(var.DesktopNetCoreRedistLog)" Cache="remove">
+                <ExePackagePayload Name="!(wix.DesktopNetCoreRuntime$(var.NetCoreIdVersion)Redist$(var.NetCorePlatform)PackageDirectory)windowsdesktop-runtime-$(var.NetCoreVersion)-win-$(var.NetCorePlatform).exe" DownloadUrl="$(var.DesktopNetCoreRedistLink)" ProductName="Microsoft Windows Desktop Runtime - 3.1.12 (x86)" Description="Microsoft Windows Desktop Runtime - 3.1.12 (x86)" CertificatePublicKey="3756E9BBF4461DCD0AA68E0D1FCFFA9CEA47AC18" CertificateThumbprint="2485A7AFA98E178CB8F30C9838346B514AEA4769" Size="48590696" Version="3.1.12.29719" />
             </ExePackage>
         </PackageGroup>
     </Fragment>
@@ -50,8 +50,8 @@
         <WixVariable Id="DotNetCoreRuntime$(var.NetCoreIdVersion)Redist$(var.NetCorePlatform)RepairArguments" Value="" Overridable="yes" />
 
         <PackageGroup Id="$(var.DotNetCoreRedistId)">
-            <ExePackage InstallArguments="$(var.DotNetCoreRedistInstallArguments)" PerMachine="yes" DetectCondition="!(wix.DotNetCoreRuntime$(var.NetCoreIdVersion)Redist$(var.NetCorePlatform)DetectCondition)" InstallCondition="!(wix.DotNetCoreRuntime$(var.NetCoreIdVersion)Redist$(var.NetCorePlatform)InstallCondition)" Id="$(var.DotNetCoreRedistId)" Vital="yes" Permanent="yes" Protocol="burn" LogPathVariable="$(var.DotNetCoreRedistLog)" Cache="remove">
-                <ExePackagePayload Name="!(wix.DotNetCoreRuntime$(var.NetCoreIdVersion)Redist$(var.NetCorePlatform)PackageDirectory)dotnet-runtime-$(var.NetCoreVersion)-win-$(var.NetCorePlatform).exe" DownloadUrl="$(var.DotNetCoreRedistLink)" ProductName="Microsoft .NET Core Runtime - 3.1.12 (x86)" Description="Microsoft .NET Core Runtime - 3.1.12 (x86)" CertificatePublicKey="3756E9BBF4461DCD0AA68E0D1FCFFA9CEA47AC18" CertificateThumbprint="2485A7AFA98E178CB8F30C9838346B514AEA4769" Hash="BA18F9028B19630D91017BEACCD8D79388125C228A83B5A62306108F3BB283617A7ED9B98785BC73192EC00E5D186DA767E940DCAB388699FAF274E437D0C16F" Size="23392184" Version="3.1.12.29719" />
+            <ExePackage CacheId="$(var.DotNetCoreRedistId)_2485A7AFA98E178CB8F30C9838346B514AEA4769" InstallArguments="$(var.DotNetCoreRedistInstallArguments)" PerMachine="yes" DetectCondition="!(wix.DotNetCoreRuntime$(var.NetCoreIdVersion)Redist$(var.NetCorePlatform)DetectCondition)" InstallCondition="!(wix.DotNetCoreRuntime$(var.NetCoreIdVersion)Redist$(var.NetCorePlatform)InstallCondition)" Id="$(var.DotNetCoreRedistId)" Vital="yes" Permanent="yes" Protocol="burn" LogPathVariable="$(var.DotNetCoreRedistLog)" Cache="remove">
+                <ExePackagePayload Name="!(wix.DotNetCoreRuntime$(var.NetCoreIdVersion)Redist$(var.NetCorePlatform)PackageDirectory)dotnet-runtime-$(var.NetCoreVersion)-win-$(var.NetCorePlatform).exe" DownloadUrl="$(var.DotNetCoreRedistLink)" ProductName="Microsoft .NET Core Runtime - 3.1.12 (x86)" Description="Microsoft .NET Core Runtime - 3.1.12 (x86)" CertificatePublicKey="3756E9BBF4461DCD0AA68E0D1FCFFA9CEA47AC18" CertificateThumbprint="2485A7AFA98E178CB8F30C9838346B514AEA4769" Size="23392184" Version="3.1.12.29719" />
             </ExePackage>
         </PackageGroup>
     </Fragment>
diff --git a/src/ext/NetFx/wixlib/NetFx462.wxs b/src/ext/NetFx/wixlib/NetFx462.wxs
index cafbee56..904d2be0 100644
--- a/src/ext/NetFx/wixlib/NetFx462.wxs
+++ b/src/ext/NetFx/wixlib/NetFx462.wxs
@@ -29,8 +29,8 @@
     <WixVariable Id="NetFx462WebPackageDirectory" Value="redist\" Overridable="yes" />
 
     <PackageGroup Id="$(var.NetFx462WebId)">
-      <ExePackage InstallArguments="/q /norestart /log &quot;[NetFx462FullLog].html&quot;" PerMachine="yes" DetectCondition="!(wix.NetFx462WebDetectCondition)" InstallCondition="!(wix.NetFx462WebInstallCondition)" Id="$(var.NetFx462WebId)" Vital="yes" Permanent="yes" Protocol="netfx4" LogPathVariable="NetFx462FullLog" Cache="remove">
-        <ExePackagePayload Name="!(wix.NetFx462WebPackageDirectory)NDP462-KB3151802-Web.exe" DownloadUrl="$(var.NetFx462WebLink)" ProductName="Microsoft .NET Framework 4.6.2" Description="Microsoft .NET Framework 4.6.2 Setup" CertificatePublicKey="F49F9B33E25E33CCA0BFB15A62B7C29FFAB3880B" CertificateThumbprint="ABDCA79AF9DD48A0EA702AD45260B3C03093FB4B" Hash="D944304952F35B6F49CDA0C6364B55CCB4DF92B134634E594B0496A346B496D3AB709655292595A5D86D44C86C81F19926F84EFF7B87608740B39C12441920A3" Size="1404536" Version="4.6.1590.0" />
+      <ExePackage CacheId="$(var.NetFx462WebId)_ABDCA79AF9DD48A0EA702AD45260B3C03093FB4B" InstallArguments="/q /norestart /log &quot;[NetFx462FullLog].html&quot;" PerMachine="yes" DetectCondition="!(wix.NetFx462WebDetectCondition)" InstallCondition="!(wix.NetFx462WebInstallCondition)" Id="$(var.NetFx462WebId)" Vital="yes" Permanent="yes" Protocol="netfx4" LogPathVariable="NetFx462FullLog" Cache="remove">
+        <ExePackagePayload Name="!(wix.NetFx462WebPackageDirectory)NDP462-KB3151802-Web.exe" DownloadUrl="$(var.NetFx462WebLink)" ProductName="Microsoft .NET Framework 4.6.2" Description="Microsoft .NET Framework 4.6.2 Setup" CertificatePublicKey="F49F9B33E25E33CCA0BFB15A62B7C29FFAB3880B" CertificateThumbprint="ABDCA79AF9DD48A0EA702AD45260B3C03093FB4B" Size="1404536" Version="4.6.1590.0" />
       </ExePackage>
     </PackageGroup>
   </Fragment>
@@ -51,8 +51,8 @@
     <WixVariable Id="NetFx462RedistPackageDirectory" Value="redist\" Overridable="yes" />
 
     <PackageGroup Id="$(var.NetFx462RedistId)">
-      <ExePackage InstallArguments="/q /norestart /log &quot;[NetFx462FullLog].html&quot;" UninstallArguments="/uninstall /q /norestart /log &quot;[NetFx462FullLog].html&quot;" PerMachine="yes" DetectCondition="!(wix.NetFx462RedistDetectCondition)" InstallCondition="!(wix.NetFx462RedistInstallCondition)" Id="$(var.NetFx462RedistId)" Vital="yes" Permanent="yes" Protocol="netfx4" LogPathVariable="NetFx462FullLog">
-        <ExePackagePayload Name="!(wix.NetFx462RedistPackageDirectory)NDP462-KB3151800-x86-x64-AllOS-ENU.exe" DownloadUrl="$(var.NetFx462RedistLink)" ProductName="Microsoft .NET Framework 4.6.2" Description="Microsoft .NET Framework 4.6.2 Setup" CertificatePublicKey="F49F9B33E25E33CCA0BFB15A62B7C29FFAB3880B" CertificateThumbprint="ABDCA79AF9DD48A0EA702AD45260B3C03093FB4B" Hash="045F1AB9AC0126D01494F933EF10DD81B2CC71E1C23A7F2871F06EBAE7A0538467A21ADB461FBFB5EB394BF80A850FF4DCA5EEFDEC17CC3714082018ED372F7A" Size="62000832" Version="4.6.1590.0" />
+      <ExePackage CacheId="$(var.NetFx462RedistId)_ABDCA79AF9DD48A0EA702AD45260B3C03093FB4B" InstallArguments="/q /norestart /log &quot;[NetFx462FullLog].html&quot;" UninstallArguments="/uninstall /q /norestart /log &quot;[NetFx462FullLog].html&quot;" PerMachine="yes" DetectCondition="!(wix.NetFx462RedistDetectCondition)" InstallCondition="!(wix.NetFx462RedistInstallCondition)" Id="$(var.NetFx462RedistId)" Vital="yes" Permanent="yes" Protocol="netfx4" LogPathVariable="NetFx462FullLog">
+        <ExePackagePayload Name="!(wix.NetFx462RedistPackageDirectory)NDP462-KB3151800-x86-x64-AllOS-ENU.exe" DownloadUrl="$(var.NetFx462RedistLink)" ProductName="Microsoft .NET Framework 4.6.2" Description="Microsoft .NET Framework 4.6.2 Setup" CertificatePublicKey="F49F9B33E25E33CCA0BFB15A62B7C29FFAB3880B" CertificateThumbprint="ABDCA79AF9DD48A0EA702AD45260B3C03093FB4B" Size="62000832" Version="4.6.1590.0" />
       </ExePackage>
     </PackageGroup>
   </Fragment>
diff --git a/src/ext/NetFx/wixlib/NetFx472.wxs b/src/ext/NetFx/wixlib/NetFx472.wxs
index b6d50e75..15cb0de2 100644
--- a/src/ext/NetFx/wixlib/NetFx472.wxs
+++ b/src/ext/NetFx/wixlib/NetFx472.wxs
@@ -29,8 +29,8 @@
     <WixVariable Id="NetFx472WebPackageDirectory" Value="redist\" Overridable="yes" />
 
     <PackageGroup Id="$(var.NetFx472WebId)">
-      <ExePackage InstallArguments="/q /norestart /log &quot;[NetFx472WebLog].html&quot;" PerMachine="yes" DetectCondition="!(wix.NetFx472WebDetectCondition)" InstallCondition="!(wix.NetFx472WebInstallCondition)" Id="$(var.NetFx472WebId)" Vital="yes" Permanent="yes" Protocol="netfx4" LogPathVariable="NetFx472WebLog" Cache="remove">
-        <ExePackagePayload Name="!(wix.NetFx472WebPackageDirectory)NDP472-KB4054531-Web.exe" DownloadUrl="$(var.NetFx472WebLink)" ProductName="Microsoft .NET Framework 4.7.2" Description="Microsoft .NET Framework 4.7.2 Setup" CertificatePublicKey="F49F9B33E25E33CCA0BFB15A62B7C29FFAB3880B" CertificateThumbprint="ABDCA79AF9DD48A0EA702AD45260B3C03093FB4B" Hash="99B1D7F9264E7D5AEA7B01B69EF541065030055A37CFD76F9846B3CC84FD6F2BAB612042D68DDF992BDA41553C493FB45830699BA5F56AB0AEE200CC539CC5D8" Size="1405792" Version="4.7.3081.0" />
+      <ExePackage CacheId="$(var.NetFx472WebId)_ABDCA79AF9DD48A0EA702AD45260B3C03093FB4B" InstallArguments="/q /norestart /log &quot;[NetFx472WebLog].html&quot;" PerMachine="yes" DetectCondition="!(wix.NetFx472WebDetectCondition)" InstallCondition="!(wix.NetFx472WebInstallCondition)" Id="$(var.NetFx472WebId)" Vital="yes" Permanent="yes" Protocol="netfx4" LogPathVariable="NetFx472WebLog" Cache="remove">
+        <ExePackagePayload Name="!(wix.NetFx472WebPackageDirectory)NDP472-KB4054531-Web.exe" DownloadUrl="$(var.NetFx472WebLink)" ProductName="Microsoft .NET Framework 4.7.2" Description="Microsoft .NET Framework 4.7.2 Setup" CertificatePublicKey="F49F9B33E25E33CCA0BFB15A62B7C29FFAB3880B" CertificateThumbprint="ABDCA79AF9DD48A0EA702AD45260B3C03093FB4B" Size="1405792" Version="4.7.3081.0" />
       </ExePackage>
     </PackageGroup>
   </Fragment>
@@ -51,8 +51,8 @@
     <WixVariable Id="NetFx472RedistPackageDirectory" Value="redist\" Overridable="yes" />
 
     <PackageGroup Id="$(var.NetFx472RedistId)">
-      <ExePackage InstallArguments="/q /norestart /log &quot;[NetFx472RedistLog].html&quot;" PerMachine="yes" DetectCondition="!(wix.NetFx472RedistDetectCondition)" InstallCondition="!(wix.NetFx472RedistInstallCondition)" Id="$(var.NetFx472RedistId)" Vital="yes" Permanent="yes" Protocol="netfx4" LogPathVariable="NetFx472RedistLog" Cache="remove">
-        <ExePackagePayload Name="!(wix.NetFx472RedistPackageDirectory)NDP472-KB4054530-x86-x64-AllOS-ENU.exe" DownloadUrl="$(var.NetFx472RedistLink)" ProductName="Microsoft .NET Framework 4.7.2" Description="Microsoft .NET Framework 4.7.2 Setup" CertificatePublicKey="F49F9B33E25E33CCA0BFB15A62B7C29FFAB3880B" CertificateThumbprint="ABDCA79AF9DD48A0EA702AD45260B3C03093FB4B" Hash="F4EA32D8189DD269FF02D68B39D7DE866AE5F46EEA5A71BF8F4715FB0E4F8B7AC64B274DFA7BFF69B52C719E65256906C8D92FDD355F52C977175AE3E1919098" Size="83940592" Version="4.7.3081.0" />
+      <ExePackage CacheId="$(var.NetFx472RedistId)_ABDCA79AF9DD48A0EA702AD45260B3C03093FB4B" InstallArguments="/q /norestart /log &quot;[NetFx472RedistLog].html&quot;" PerMachine="yes" DetectCondition="!(wix.NetFx472RedistDetectCondition)" InstallCondition="!(wix.NetFx472RedistInstallCondition)" Id="$(var.NetFx472RedistId)" Vital="yes" Permanent="yes" Protocol="netfx4" LogPathVariable="NetFx472RedistLog" Cache="remove">
+        <ExePackagePayload Name="!(wix.NetFx472RedistPackageDirectory)NDP472-KB4054530-x86-x64-AllOS-ENU.exe" DownloadUrl="$(var.NetFx472RedistLink)" ProductName="Microsoft .NET Framework 4.7.2" Description="Microsoft .NET Framework 4.7.2 Setup" CertificatePublicKey="F49F9B33E25E33CCA0BFB15A62B7C29FFAB3880B" CertificateThumbprint="ABDCA79AF9DD48A0EA702AD45260B3C03093FB4B" Size="83940592" Version="4.7.3081.0" />
       </ExePackage>
     </PackageGroup>
   </Fragment>
diff --git a/src/ext/NetFx/wixlib/NetFx48.wxs b/src/ext/NetFx/wixlib/NetFx48.wxs
index f23f08db..fc2f97f5 100644
--- a/src/ext/NetFx/wixlib/NetFx48.wxs
+++ b/src/ext/NetFx/wixlib/NetFx48.wxs
@@ -29,8 +29,8 @@
     <WixVariable Id="NetFx48WebPackageDirectory" Value="redist\" Overridable="yes" />
 
     <PackageGroup Id="$(var.NetFx48WebId)">
-      <ExePackage InstallArguments="/q /norestart /log &quot;[NetFx48WebLog].html&quot;" PerMachine="yes" DetectCondition="!(wix.NetFx48WebDetectCondition)" InstallCondition="!(wix.NetFx48WebInstallCondition)" Id="$(var.NetFx48WebId)" Vital="yes" Permanent="yes" Protocol="netfx4" LogPathVariable="NetFx48WebLog" Cache="remove">
-        <ExePackagePayload Name="!(wix.NetFx48WebPackageDirectory)ndp48-web.exe" DownloadUrl="$(var.NetFx48WebLink)" ProductName="Microsoft .NET Framework 4.8" Description="Microsoft .NET Framework 4.8 Setup" CertificatePublicKey="F49F9B33E25E33CCA0BFB15A62B7C29FFAB3880B" CertificateThumbprint="ABDCA79AF9DD48A0EA702AD45260B3C03093FB4B" Hash="642721C60D52051C7F3434D8710FE3406A7CFE10B2B39E90EA847719ED1697D7C614F2DF44AD50412B1DF8C98DD78FDC57CA1D047D28C81AC158092E5FB18040" Size="1439328" Version="4.8.4115.0" />
+      <ExePackage CacheId="$(var.NetFx48WebId)_ABDCA79AF9DD48A0EA702AD45260B3C03093FB4B" InstallArguments="/q /norestart /log &quot;[NetFx48WebLog].html&quot;" PerMachine="yes" DetectCondition="!(wix.NetFx48WebDetectCondition)" InstallCondition="!(wix.NetFx48WebInstallCondition)" Id="$(var.NetFx48WebId)" Vital="yes" Permanent="yes" Protocol="netfx4" LogPathVariable="NetFx48WebLog" Cache="remove">
+        <ExePackagePayload Name="!(wix.NetFx48WebPackageDirectory)ndp48-web.exe" DownloadUrl="$(var.NetFx48WebLink)" ProductName="Microsoft .NET Framework 4.8" Description="Microsoft .NET Framework 4.8 Setup" CertificatePublicKey="F49F9B33E25E33CCA0BFB15A62B7C29FFAB3880B" CertificateThumbprint="ABDCA79AF9DD48A0EA702AD45260B3C03093FB4B" Size="1439328" Version="4.8.4115.0" />
       </ExePackage>
     </PackageGroup>
   </Fragment>
@@ -51,8 +51,8 @@
     <WixVariable Id="NetFx48RedistPackageDirectory" Value="redist\" Overridable="yes" />
 
     <PackageGroup Id="$(var.NetFx48RedistId)">
-      <ExePackage InstallArguments="/q /norestart /log &quot;[NetFx48RedistLog].html&quot;" PerMachine="yes" DetectCondition="!(wix.NetFx48RedistDetectCondition)" InstallCondition="!(wix.NetFx48RedistInstallCondition)" Id="$(var.NetFx48RedistId)" Vital="yes" Permanent="yes" Protocol="netfx4" LogPathVariable="NetFx48RedistLog" Cache="remove">
-        <ExePackagePayload Name="!(wix.NetFx48RedistPackageDirectory)ndp48-x86-x64-allos-enu.exe" DownloadUrl="$(var.NetFx48RedistLink)" ProductName="Microsoft .NET Framework 4.8" Description="Microsoft .NET Framework 4.8 Setup" CertificatePublicKey="F49F9B33E25E33CCA0BFB15A62B7C29FFAB3880B" CertificateThumbprint="ABDCA79AF9DD48A0EA702AD45260B3C03093FB4B" Hash="FFB6C226AF4E5C8FFA7210D5115701883ABF12A8B1CBAE6E08122FB94DD93763468BFF5B00060EABEF19C147B0A4D8063DDE318D2B928CE397C58F7949736C5F" Size="121307088" Version="4.8.4115.0" />
+      <ExePackage CacheId="$(var.NetFx48RedistId)_ABDCA79AF9DD48A0EA702AD45260B3C03093FB4B" InstallArguments="/q /norestart /log &quot;[NetFx48RedistLog].html&quot;" PerMachine="yes" DetectCondition="!(wix.NetFx48RedistDetectCondition)" InstallCondition="!(wix.NetFx48RedistInstallCondition)" Id="$(var.NetFx48RedistId)" Vital="yes" Permanent="yes" Protocol="netfx4" LogPathVariable="NetFx48RedistLog" Cache="remove">
+        <ExePackagePayload Name="!(wix.NetFx48RedistPackageDirectory)ndp48-x86-x64-allos-enu.exe" DownloadUrl="$(var.NetFx48RedistLink)" ProductName="Microsoft .NET Framework 4.8" Description="Microsoft .NET Framework 4.8 Setup" CertificatePublicKey="F49F9B33E25E33CCA0BFB15A62B7C29FFAB3880B" CertificateThumbprint="ABDCA79AF9DD48A0EA702AD45260B3C03093FB4B" Size="121307088" Version="4.8.4115.0" />
       </ExePackage>
     </PackageGroup>
   </Fragment>
diff --git a/src/wix/WixToolset.Core.Burn/Bind/BindBundleCommand.cs b/src/wix/WixToolset.Core.Burn/Bind/BindBundleCommand.cs
index 348a4b41..82547487 100644
--- a/src/wix/WixToolset.Core.Burn/Bind/BindBundleCommand.cs
+++ b/src/wix/WixToolset.Core.Burn/Bind/BindBundleCommand.cs
@@ -189,7 +189,7 @@ namespace WixToolset.Core.Burn
 
                     case WixBundlePackageType.Exe:
                     {
-                        var command = new ProcessExePackageCommand(facade, payloadSymbols);
+                        var command = new ProcessExePackageCommand(this.Messaging, facade, payloadSymbols);
                         command.Execute();
                     }
                     break;
@@ -210,7 +210,7 @@ namespace WixToolset.Core.Burn
 
                     case WixBundlePackageType.Msu:
                     {
-                        var command = new ProcessMsuPackageCommand(facade, payloadSymbols);
+                        var command = new ProcessMsuPackageCommand(this.Messaging, facade, payloadSymbols);
                         command.Execute();
                     }
                     break;
diff --git a/src/wix/WixToolset.Core.Burn/Bundles/CacheIdGenerator.cs b/src/wix/WixToolset.Core.Burn/Bundles/CacheIdGenerator.cs
new file mode 100644
index 00000000..2efa748b
--- /dev/null
+++ b/src/wix/WixToolset.Core.Burn/Bundles/CacheIdGenerator.cs
@@ -0,0 +1,45 @@
+// Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information.
+
+namespace WixToolset.Core.Burn.Bundles
+{
+    using System;
+    using WixToolset.Data;
+    using WixToolset.Data.Symbols;
+    using WixToolset.Extensibility.Services;
+
+    internal static class CacheIdGenerator
+    {
+        // These are "reasonable" limits to trim the very long hashes so
+        // when used in a cache id we do not overflow MAX_PATH.
+        private const int ReasonableCountOfCharsFromCertificateThumbprint = 20;
+        private const int ReasonableUpperLimitForCacheId = 64;
+
+        public static string GenerateCacheIdFromPayloadHashAndThumbprint(WixBundlePayloadSymbol payloadSymbol)
+        {
+            var takeFromThumbprint = Math.Min(ReasonableCountOfCharsFromCertificateThumbprint, payloadSymbol.CertificateThumbprint.Length);
+            var takeFromHash = Math.Min(ReasonableUpperLimitForCacheId - takeFromThumbprint, payloadSymbol.Hash.Length);
+
+            return payloadSymbol.Hash.Substring(0, takeFromHash) + payloadSymbol.CertificateThumbprint.Substring(0, takeFromThumbprint);
+        }
+
+        public static string GenerateCacheIdFromPackagePayloadHash(IMessaging messaging, WixBundlePayloadSymbol packagePayload, string elementName)
+        {
+            string cacheId = null;
+
+            // If we are validating the package via certificate, the CacheId must be specified
+            // in source code.
+            if (!String.IsNullOrEmpty(packagePayload.CertificatePublicKey) || !String.IsNullOrEmpty(packagePayload.CertificateThumbprint))
+            {
+                var oneOfCertificateAttributeNames = !String.IsNullOrEmpty(packagePayload.CertificatePublicKey) ? "CertificatePublicKey" : "CertificateThumbprint";
+
+                messaging.Write(ErrorMessages.ExpectedAttribute(packagePayload.SourceLineNumbers, elementName, "CacheId", oneOfCertificateAttributeNames));
+            }
+            else // validating package by hashing, so the CacheId can be defaulted to the hash with a "reasonable" upper limit since the CacheId is in the cached file path.
+            {
+                cacheId = packagePayload.Hash.Length > ReasonableUpperLimitForCacheId ? packagePayload.Hash.Substring(0, ReasonableUpperLimitForCacheId) : packagePayload.Hash;
+            }
+
+            return cacheId;
+        }
+    }
+}
diff --git a/src/wix/WixToolset.Core.Burn/Bundles/ProcessExePackageCommand.cs b/src/wix/WixToolset.Core.Burn/Bundles/ProcessExePackageCommand.cs
index 8d8ea986..3307db47 100644
--- a/src/wix/WixToolset.Core.Burn/Bundles/ProcessExePackageCommand.cs
+++ b/src/wix/WixToolset.Core.Burn/Bundles/ProcessExePackageCommand.cs
@@ -4,19 +4,24 @@ namespace WixToolset.Core.Burn.Bundles
 {
     using System;
     using System.Collections.Generic;
+    using WixToolset.Data;
     using WixToolset.Data.Symbols;
+    using WixToolset.Extensibility.Services;
 
     /// <summary>
     /// Initializes package state from the Exe contents.
     /// </summary>
     internal class ProcessExePackageCommand
     {
-        public ProcessExePackageCommand(PackageFacade facade, Dictionary<string, WixBundlePayloadSymbol> payloadSymbols)
+        public ProcessExePackageCommand(IMessaging messaging, PackageFacade facade, Dictionary<string, WixBundlePayloadSymbol> payloadSymbols)
         {
-            this.AuthoredPayloads = payloadSymbols;
+            this.Messaging = messaging;
             this.Facade = facade;
+            this.AuthoredPayloads = payloadSymbols;
         }
 
+        public IMessaging Messaging { get; }
+
         public Dictionary<string, WixBundlePayloadSymbol> AuthoredPayloads { get; }
 
         public PackageFacade Facade { get; }
@@ -30,7 +35,7 @@ namespace WixToolset.Core.Burn.Bundles
 
             if (String.IsNullOrEmpty(this.Facade.PackageSymbol.CacheId))
             {
-                this.Facade.PackageSymbol.CacheId = packagePayload.Hash;
+                this.Facade.PackageSymbol.CacheId = CacheIdGenerator.GenerateCacheIdFromPackagePayloadHash(this.Messaging, packagePayload, "ExePackage");
             }
 
             this.Facade.PackageSymbol.Version = packagePayload.Version;
diff --git a/src/wix/WixToolset.Core.Burn/Bundles/ProcessMsuPackageCommand.cs b/src/wix/WixToolset.Core.Burn/Bundles/ProcessMsuPackageCommand.cs
index 4c61f6d7..b61956a2 100644
--- a/src/wix/WixToolset.Core.Burn/Bundles/ProcessMsuPackageCommand.cs
+++ b/src/wix/WixToolset.Core.Burn/Bundles/ProcessMsuPackageCommand.cs
@@ -6,18 +6,22 @@ namespace WixToolset.Core.Burn.Bundles
     using System.Collections.Generic;
     using WixToolset.Data;
     using WixToolset.Data.Symbols;
+    using WixToolset.Extensibility.Services;
 
     /// <summary>
     /// Processes the Msu packages to add properties and payloads from the Msu packages.
     /// </summary>
     internal class ProcessMsuPackageCommand
     {
-        public ProcessMsuPackageCommand(PackageFacade facade, Dictionary<string, WixBundlePayloadSymbol> payloadSymbols)
+        public ProcessMsuPackageCommand(IMessaging messaging, PackageFacade facade, Dictionary<string, WixBundlePayloadSymbol> payloadSymbols)
         {
-            this.AuthoredPayloads = payloadSymbols;
+            this.Messaging = messaging;
             this.Facade = facade;
+            this.AuthoredPayloads = payloadSymbols;
         }
 
+        public IMessaging Messaging { get; }
+
         public Dictionary<string, WixBundlePayloadSymbol> AuthoredPayloads { private get; set; }
 
         public PackageFacade Facade { private get; set; }
@@ -28,7 +32,7 @@ namespace WixToolset.Core.Burn.Bundles
 
             if (String.IsNullOrEmpty(this.Facade.PackageSymbol.CacheId))
             {
-                this.Facade.PackageSymbol.CacheId = packagePayload.Hash;
+                this.Facade.PackageSymbol.CacheId = CacheIdGenerator.GenerateCacheIdFromPackagePayloadHash(this.Messaging, packagePayload, "MsuPackage");
             }
 
             this.Facade.PackageSymbol.PerMachine = true; // MSUs are always per-machine.
diff --git a/src/wix/WixToolset.Core.Burn/CommandLine/RemotePayloadSubcommand.cs b/src/wix/WixToolset.Core.Burn/CommandLine/RemotePayloadSubcommand.cs
index e812bc8a..83b10c7c 100644
--- a/src/wix/WixToolset.Core.Burn/CommandLine/RemotePayloadSubcommand.cs
+++ b/src/wix/WixToolset.Core.Burn/CommandLine/RemotePayloadSubcommand.cs
@@ -19,6 +19,9 @@ namespace WixToolset.Core.Burn.CommandLine
 
     internal class RemotePayloadSubcommand : BurnSubcommandBase
     {
+        private static readonly XName BundlePackageName = "BundlePackage";
+        private static readonly XName ExePackageName = "ExePackage";
+        private static readonly XName MsuPackageName = "MsuPackage";
         private static readonly XName BundlePackagePayloadName = "BundlePackagePayload";
         private static readonly XName ExePackagePayloadName = "ExePackagePayload";
         private static readonly XName MsuPackagePayloadName = "MsuPackagePayload";
@@ -80,7 +83,7 @@ namespace WixToolset.Core.Burn.CommandLine
                 this.IntermediateFolder = Path.GetTempPath();
             }
 
-            var elements = this.HarvestRemotePayloads(inputPaths);
+            var element = this.HarvestPackageElement(inputPaths);
 
             if (!this.Messaging.EncounteredError)
             {
@@ -89,14 +92,11 @@ namespace WixToolset.Core.Burn.CommandLine
                     var outputFolder = Path.GetDirectoryName(this.OutputPath);
                     Directory.CreateDirectory(outputFolder);
 
-                    File.WriteAllLines(this.OutputPath, elements.Select(e => e.ToString()));
+                    File.WriteAllText(this.OutputPath, element.ToString());
                 }
                 else
                 {
-                    foreach (var element in elements)
-                    {
-                        Console.WriteLine(element);
-                    }
+                    Console.WriteLine(element.ToString());
                 }
             }
 
@@ -189,10 +189,51 @@ namespace WixToolset.Core.Burn.CommandLine
             return result.Distinct(StringComparer.OrdinalIgnoreCase).ToList();
         }
 
-        private IEnumerable<XElement> HarvestRemotePayloads(IEnumerable<string> paths)
+        private XElement HarvestPackageElement(IEnumerable<string> paths)
+        {
+            var harvestedFiles = this.HarvestRemotePayloads(paths).ToList();
+
+            XElement element;
+
+            switch (harvestedFiles[0].PackageType)
+            {
+                case WixBundlePackageType.Bundle:
+                    element = new XElement(BundlePackageName);
+                    break;
+
+                case WixBundlePackageType.Exe:
+                    element = new XElement(ExePackageName);
+                    break;
+
+                case WixBundlePackageType.Msu:
+                    element = new XElement(MsuPackageName);
+                    break;
+
+                default:
+                    return null;
+            }
+
+            var packagePayloadFile = harvestedFiles.FirstOrDefault();
+
+            if (packagePayloadFile != null)
+            {
+                if (packagePayloadFile.Element.Attribute("CertificateThumbprint") != null)
+                {
+                    var cacheId = CacheIdGenerator.GenerateCacheIdFromPayloadHashAndThumbprint(packagePayloadFile.PayloadSymbol);
+
+                    element.Add(new XAttribute("CacheId", cacheId));
+                }
+
+                element.Add(harvestedFiles.Select(h => h.Element));
+            }
+
+            return element;
+        }
+
+        private IEnumerable<HarvestedFile> HarvestRemotePayloads(IEnumerable<string> paths)
         {
             var first = true;
-            var hashes = this.GetHashes(paths);
+            var hashes = this.GetCertificateHashes(paths);
 
             foreach (var path in paths)
             {
@@ -204,22 +245,22 @@ namespace WixToolset.Core.Burn.CommandLine
                     continue;
                 }
 
+                yield return harvestedFile;
+
                 if (harvestedFile.PackagePayloads.Any())
                 {
-                    var packageHashes = this.GetHashes(harvestedFile.PackagePayloads.Select(x => x.SourceFile.Path));
+                    var packageCertificateHashes = this.GetCertificateHashes(harvestedFile.PackagePayloads.Select(x => x.SourceFile.Path));
 
                     foreach (var payloadSymbol in harvestedFile.PackagePayloads)
                     {
-                        var harvestedPackageFile = this.HarvestFile(payloadSymbol.SourceFile.Path, false, packageHashes);
-                        yield return harvestedPackageFile.Element;
+                        var harvestedPackageFile = this.HarvestFile(payloadSymbol.SourceFile.Path, false, packageCertificateHashes);
+                        yield return harvestedPackageFile;
                     }
                 }
-
-                yield return harvestedFile.Element;
             }
         }
 
-        private Dictionary<string, CertificateHashes> GetHashes(IEnumerable<string> paths)
+        private Dictionary<string, CertificateHashes> GetCertificateHashes(IEnumerable<string> paths)
         {
             var hashes = new Dictionary<string, CertificateHashes>();
 
@@ -233,7 +274,7 @@ namespace WixToolset.Core.Burn.CommandLine
             return hashes;
         }
 
-        private HarvestedFile HarvestFile(string path, bool isPackage, Dictionary<string, CertificateHashes> hashes)
+        private HarvestedFile HarvestFile(string path, bool isPackage, Dictionary<string, CertificateHashes> certificateHashes)
         {
             XElement element;
             WixBundlePackageType? packageType = null;
@@ -274,7 +315,7 @@ namespace WixToolset.Core.Burn.CommandLine
             var payloadSymbol = new WixBundlePayloadSymbol(null, new Identifier(AccessModifier.Section, "id"))
             {
                 SourceFile = new IntermediateFieldPathValue { Path = path },
-                Name = Path.GetFileName(path),
+                Name = this.GetRelativeFileName(path),
             };
 
             this.PayloadHarvester.HarvestStandardInformation(payloadSymbol);
@@ -293,22 +334,18 @@ namespace WixToolset.Core.Burn.CommandLine
 
             if (!String.IsNullOrEmpty(this.DownloadUrl))
             {
-                var filename = this.GetRelativeFileName(payloadSymbol.SourceFile.Path);
-                var formattedUrl = String.Format(this.DownloadUrl, filename);
-
-                if (Uri.TryCreate(formattedUrl, UriKind.Absolute, out var url))
-                {
-                    element.Add(new XAttribute("DownloadUrl", url.AbsoluteUri));
-                }
+                element.Add(new XAttribute("DownloadUrl", this.DownloadUrl));
             }
 
-            if (hashes.TryGetValue(path, out var certificateHashes))
+            if (certificateHashes.TryGetValue(path, out var certificateHashForPath))
             {
-                element.Add(new XAttribute("CertificatePublicKey", certificateHashes.PublicKey));
-                element.Add(new XAttribute("CertificateThumbprint", certificateHashes.Thumbprint));
-            }
+                payloadSymbol.CertificatePublicKey = certificateHashForPath.PublicKey;
+                payloadSymbol.CertificateThumbprint = certificateHashForPath.Thumbprint;
 
-            if (!String.IsNullOrEmpty(payloadSymbol.Hash))
+                element.Add(new XAttribute("CertificatePublicKey", payloadSymbol.CertificatePublicKey));
+                element.Add(new XAttribute("CertificateThumbprint", payloadSymbol.CertificateThumbprint));
+            }
+            else if (!String.IsNullOrEmpty(payloadSymbol.Hash))
             {
                 element.Add(new XAttribute("Hash", payloadSymbol.Hash));
             }
@@ -326,6 +363,7 @@ namespace WixToolset.Core.Burn.CommandLine
             var harvestedFile = new HarvestedFile
             {
                 Element = element,
+                PackageType = packageType,
                 PayloadSymbol = payloadSymbol,
             };
 
@@ -418,7 +456,11 @@ namespace WixToolset.Core.Burn.CommandLine
         private class HarvestedFile
         {
             public XElement Element { get; set; }
+
+            public WixBundlePackageType? PackageType { get; internal set; }
+
             public WixBundlePayloadSymbol PayloadSymbol { get; set; }
+
             public List<WixBundlePayloadSymbol> PackagePayloads { get; } = new List<WixBundlePayloadSymbol>();
         }
     }
diff --git a/src/wix/WixToolset.Core/Compile/CompilerPayload.cs b/src/wix/WixToolset.Core/Compile/CompilerPayload.cs
index 2cdc70cf..98ab1579 100644
--- a/src/wix/WixToolset.Core/Compile/CompilerPayload.cs
+++ b/src/wix/WixToolset.Core/Compile/CompilerPayload.cs
@@ -145,18 +145,11 @@ namespace WixToolset.Core
                         this.Core.Write(ErrorMessages.ExpectedAttributeWithoutOtherAttribute(this.SourceLineNumbers, this.Element.Name.LocalName, "Name", "SourceFile"));
                     }
 
-                    if (!this.Size.HasValue)
-                    {
-                        this.Core.Write(ErrorMessages.ExpectedAttributeWithoutOtherAttribute(this.SourceLineNumbers, this.Element.Name.LocalName, "Size", "SourceFile"));
-                    }
-
-                    if (String.IsNullOrEmpty(this.Hash))
-                    {
-                        this.Core.Write(ErrorMessages.ExpectedAttributeWithoutOtherAttribute(this.SourceLineNumbers, this.Element.Name.LocalName, "Hash", "SourceFile"));
-                    }
-
+                    // If remote payload is being verified by a certificate.
                     if (!String.IsNullOrEmpty(this.CertificatePublicKey) || !String.IsNullOrEmpty(this.CertificateThumbprint))
                     {
+                        var oneOfCertificateAttributeNames = !String.IsNullOrEmpty(this.CertificatePublicKey) ? "CertificatePublicKey" : "CertificateThumbprint";
+
                         if (String.IsNullOrEmpty(this.CertificateThumbprint))
                         {
                             this.Core.Write(ErrorMessages.ExpectedAttribute(this.SourceLineNumbers, this.Element.Name.LocalName, "CertificateThumbprint", "CertificatePublicKey"));
@@ -165,6 +158,23 @@ namespace WixToolset.Core
                         {
                             this.Core.Write(ErrorMessages.ExpectedAttribute(this.SourceLineNumbers, this.Element.Name.LocalName, "CertificatePublicKey", "CertificateThumbprint"));
                         }
+
+                        if (!String.IsNullOrEmpty(this.Hash))
+                        {
+                            this.Core.Write(ErrorMessages.IllegalAttributeWithOtherAttribute(this.SourceLineNumbers, this.Element.Name.LocalName, "Hash", oneOfCertificateAttributeNames));
+                        }
+                    }
+                    else // payload is being verified by hash.
+                    {
+                        if (String.IsNullOrEmpty(this.Hash))
+                        {
+                            this.Core.Write(ErrorMessages.ExpectedAttributeWithoutOtherAttribute(this.SourceLineNumbers, this.Element.Name.LocalName, "Hash", "SourceFile"));
+                        }
+
+                        if (!this.Size.HasValue)
+                        {
+                            this.Core.Write(ErrorMessages.ExpectedAttributeWithoutOtherAttribute(this.SourceLineNumbers, this.Element.Name.LocalName, "Size", "SourceFile"));
+                        }
                     }
 
                     if (YesNoDefaultType.Yes == this.Compressed)
diff --git a/src/wix/test/WixToolsetTest.CoreIntegration/ExePackageFixture.cs b/src/wix/test/WixToolsetTest.CoreIntegration/ExePackageFixture.cs
index cebed367..0dba95e1 100644
--- a/src/wix/test/WixToolsetTest.CoreIntegration/ExePackageFixture.cs
+++ b/src/wix/test/WixToolsetTest.CoreIntegration/ExePackageFixture.cs
@@ -443,5 +443,32 @@ namespace WixToolsetTest.CoreIntegration
                 Assert.Equal(401, result.ExitCode);
             }
         }
+
+        [Fact]
+        public void CannotBuildBundleWithExePackageUsingCertificateVerificationWithoutCacheId()
+        {
+            var dotDatafolder = TestData.Get(@"TestData", ".Data");
+            var folder = TestData.Get(@"TestData", "ExePackage");
+
+            using (var fs = new DisposableFileSystem())
+            {
+                var baseFolder = fs.GetFolder();
+                var intermediateFolder = Path.Combine(baseFolder, "obj");
+
+                var result = WixRunner.Execute(new[]
+                {
+                    "build",
+                    Path.Combine(folder, "UseCertificateVerificationWithoutCacheId.wxs"),
+                    "-bindpath", Path.Combine(folder, "data"),
+                    "-bindpath", dotDatafolder,
+                    "-intermediateFolder", intermediateFolder,
+                    "-o", Path.Combine(baseFolder, "bin", "test.exe")
+                });
+
+                Assert.Equal(10, result.ExitCode);
+                var message = result.Messages.Single();
+                Assert.Equal("The ExePackage/@CacheId attribute was not found; it is required when attribute CertificatePublicKey is specified.", message.ToString());
+            }
+        }
     }
 }
diff --git a/src/wix/test/WixToolsetTest.CoreIntegration/MsuPackageFixture.cs b/src/wix/test/WixToolsetTest.CoreIntegration/MsuPackageFixture.cs
index 475afcf0..37499ea9 100644
--- a/src/wix/test/WixToolsetTest.CoreIntegration/MsuPackageFixture.cs
+++ b/src/wix/test/WixToolsetTest.CoreIntegration/MsuPackageFixture.cs
@@ -3,6 +3,7 @@
 namespace WixToolsetTest.CoreIntegration
 {
     using System.IO;
+    using System.Linq;
     using WixBuildTools.TestSupport;
     using WixToolset.Core.TestPackage;
     using Xunit;
@@ -12,6 +13,7 @@ namespace WixToolsetTest.CoreIntegration
         [Fact]
         public void CanBuildBundleWithMsuPackage()
         {
+            var dotDatafolder = TestData.Get(@"TestData", ".Data");
             var folder = TestData.Get(@"TestData", "MsuPackage");
 
             using (var fs = new DisposableFileSystem())
@@ -24,6 +26,7 @@ namespace WixToolsetTest.CoreIntegration
                     "build",
                     Path.Combine(folder, "Bundle.wxs"),
                     "-bindpath", Path.Combine(folder, "data"),
+                    "-bindpath", dotDatafolder,
                     "-intermediateFolder", intermediateFolder,
                     "-o", Path.Combine(baseFolder, "bin", "test.exe")
                 });
@@ -32,5 +35,58 @@ namespace WixToolsetTest.CoreIntegration
                 Assert.True(File.Exists(Path.Combine(baseFolder, "bin", "test.exe")));
             }
         }
+
+        [Fact]
+        public void CanBuildBundleWithMsuPackageUsingCertificateVerification()
+        {
+            var dotDatafolder = TestData.Get(@"TestData", ".Data");
+            var folder = TestData.Get(@"TestData", "MsuPackage");
+
+            using (var fs = new DisposableFileSystem())
+            {
+                var baseFolder = fs.GetFolder();
+                var intermediateFolder = Path.Combine(baseFolder, "obj");
+
+                var result = WixRunner.Execute(new[]
+                {
+                    "build",
+                    Path.Combine(folder, "BundleUsingCertificateVerification.wxs"),
+                    "-bindpath", Path.Combine(folder, "data"),
+                    "-bindpath", dotDatafolder,
+                    "-intermediateFolder", intermediateFolder,
+                    "-o", Path.Combine(baseFolder, "bin", "test.exe")
+                });
+
+                result.AssertSuccess();
+                Assert.True(File.Exists(Path.Combine(baseFolder, "bin", "test.exe")));
+            }
+        }
+
+        [Fact]
+        public void CannotBuildBundleWithMsuPackageUsingCertificateVerificationWithoutCacheId()
+        {
+            var dotDatafolder = TestData.Get(@"TestData", ".Data");
+            var folder = TestData.Get(@"TestData", "MsuPackage");
+
+            using (var fs = new DisposableFileSystem())
+            {
+                var baseFolder = fs.GetFolder();
+                var intermediateFolder = Path.Combine(baseFolder, "obj");
+
+                var result = WixRunner.Execute(new[]
+                {
+                    "build",
+                    Path.Combine(folder, "BundleUsingCertificateVerificationWithoutCacheId.wxs"),
+                    "-bindpath", Path.Combine(folder, "data"),
+                    "-bindpath", dotDatafolder,
+                    "-intermediateFolder", intermediateFolder,
+                    "-o", Path.Combine(baseFolder, "bin", "test.exe")
+                });
+
+                Assert.Equal(10, result.ExitCode);
+                var message = result.Messages.Single();
+                Assert.Equal("The MsuPackage/@CacheId attribute was not found; it is required when attribute CertificatePublicKey is specified.", message.ToString());
+            }
+        }
     }
 }
diff --git a/src/wix/test/WixToolsetTest.CoreIntegration/PackagePayloadFixture.cs b/src/wix/test/WixToolsetTest.CoreIntegration/PackagePayloadFixture.cs
index 39caf8fd..f817317d 100644
--- a/src/wix/test/WixToolsetTest.CoreIntegration/PackagePayloadFixture.cs
+++ b/src/wix/test/WixToolsetTest.CoreIntegration/PackagePayloadFixture.cs
@@ -336,8 +336,9 @@ namespace WixToolsetTest.CoreIntegration
                 WixAssert.CompareLineByLine(new[]
                 {
                     "The ExePackagePayload/@CertificatePublicKey attribute was not found; it is required when attribute CertificateThumbprint is specified.",
+                    "The ExePackagePayload/@Hash attribute cannot be specified when attribute CertificateThumbprint is present."
                 }, result.Messages.Select(m => m.ToString()).ToArray());
-                Assert.Equal(10, result.ExitCode);
+                Assert.Equal(35, result.ExitCode);
             }
         }
 
diff --git a/src/wix/test/WixToolsetTest.CoreIntegration/RemotePayloadFixture.cs b/src/wix/test/WixToolsetTest.CoreIntegration/RemotePayloadFixture.cs
index 9336a635..fc105880 100644
--- a/src/wix/test/WixToolsetTest.CoreIntegration/RemotePayloadFixture.cs
+++ b/src/wix/test/WixToolsetTest.CoreIntegration/RemotePayloadFixture.cs
@@ -2,6 +2,7 @@
 
 namespace WixToolsetTest.CoreIntegration
 {
+    using System;
     using System.Collections.Generic;
     using System.IO;
     using System.Linq;
@@ -59,9 +60,11 @@ namespace WixToolsetTest.CoreIntegration
                 };
                 WixAssert.StringEqual(
                     "<root>" +
+                    "<BundlePackage>" +
                     "<BundlePackagePayload Name='test.exe' ProductName='DiversePayloadsBundle' Description='DiversePayloadsBundle' Hash='*' Size='*' Version='1.0.0.0'>" +
                     "<RemoteBundle BundleId='*' DisplayName='DiversePayloadsBundle' EngineVersion='*' InstallSize='3790116' ManifestNamespace='http://wixtoolset.org/schemas/v4/2008/Burn' PerMachine='yes' ProviderKey='*' ProtocolVersion='1' Version='1.0.0.0' Win64='no' UpgradeCode='{FEF1D2B8-4737-4A2A-9F91-77F7294FB55B}' />" +
                     "</BundlePackagePayload>" +
+                    "</BundlePackage>" +
                     "</root>", xml.GetFragmentTestXml(ignoreAttributesByElementName));
 
                 // ExternalWithoutDownloadUrl
@@ -81,13 +84,15 @@ namespace WixToolsetTest.CoreIntegration
                 xml = File.ReadAllText(externalWithoutDownloadUrlOutFile);
                 WixAssert.StringEqual(
                     "<root>" +
+                    "<BundlePackage>" +
+                    "<BundlePackagePayload Name='test.exe' ProductName='DiversePayloadsBundle' Description='DiversePayloadsBundle' Hash='*' Size='*' Version='1.0.0.0'>" +
+                    "<RemoteBundle BundleId='*' DisplayName='DiversePayloadsBundle' EngineVersion='*' InstallSize='3790116' ManifestNamespace='http://wixtoolset.org/schemas/v4/2008/Burn' PerMachine='yes' ProviderKey='*' ProtocolVersion='1' Version='1.0.0.0' Win64='no' UpgradeCode='{FEF1D2B8-4737-4A2A-9F91-77F7294FB55B}' />" +
+                    "</BundlePackagePayload>" +
                     "<Payload Name='External.cab' Hash='*' Size='*' />" +
                     "<Payload Name='test.msi' Hash='*' Size='*' />" +
                     "<Payload Name='test.txt' Hash='*' Size='*' />" +
                     "<Payload Name='Shared.dll' Hash='*' Size='*' />" +
-                    "<BundlePackagePayload Name='test.exe' ProductName='DiversePayloadsBundle' Description='DiversePayloadsBundle' Hash='*' Size='*' Version='1.0.0.0'>" +
-                    "<RemoteBundle BundleId='*' DisplayName='DiversePayloadsBundle' EngineVersion='*' InstallSize='3790116' ManifestNamespace='http://wixtoolset.org/schemas/v4/2008/Burn' PerMachine='yes' ProviderKey='*' ProtocolVersion='1' Version='1.0.0.0' Win64='no' UpgradeCode='{FEF1D2B8-4737-4A2A-9F91-77F7294FB55B}' />" +
-                    "</BundlePackagePayload>" +
+                    "</BundlePackage>" +
                     "</root>", xml.GetFragmentTestXml(ignoreAttributesByElementName));
 
                 // External
@@ -107,14 +112,16 @@ namespace WixToolsetTest.CoreIntegration
                 xml = File.ReadAllText(externalOutFile);
                 WixAssert.StringEqual(
                     "<root>" +
+                    "<BundlePackage>" +
+                    "<BundlePackagePayload Name='test.exe' ProductName='DiversePayloadsBundle' Description='DiversePayloadsBundle' Hash='*' Size='*' Version='1.0.0.0'>" +
+                    "<RemoteBundle BundleId='*' DisplayName='DiversePayloadsBundle' EngineVersion='*' InstallSize='3790116' ManifestNamespace='http://wixtoolset.org/schemas/v4/2008/Burn' PerMachine='yes' ProviderKey='*' ProtocolVersion='1' Version='1.0.0.0' Win64='no' UpgradeCode='{FEF1D2B8-4737-4A2A-9F91-77F7294FB55B}' />" +
+                    "</BundlePackagePayload>" +
                     "<Payload Name='External.cab' Hash='*' Size='*' />" +
                     "<Payload Name='Windows8.1-KB2937592-x86.msu' Hash='*' Size='*' />" +
                     "<Payload Name='test.msi' Hash='*' Size='*' />" +
                     "<Payload Name='test.txt' Hash='*' Size='*' />" +
                     "<Payload Name='Shared.dll' Hash='*' Size='*' />" +
-                    "<BundlePackagePayload Name='test.exe' ProductName='DiversePayloadsBundle' Description='DiversePayloadsBundle' Hash='*' Size='*' Version='1.0.0.0'>" +
-                    "<RemoteBundle BundleId='*' DisplayName='DiversePayloadsBundle' EngineVersion='*' InstallSize='3790116' ManifestNamespace='http://wixtoolset.org/schemas/v4/2008/Burn' PerMachine='yes' ProviderKey='*' ProtocolVersion='1' Version='1.0.0.0' Win64='no' UpgradeCode='{FEF1D2B8-4737-4A2A-9F91-77F7294FB55B}' />" +
-                    "</BundlePackagePayload>" +
+                    "</BundlePackage>" +
                     "</root>", xml.GetFragmentTestXml(ignoreAttributesByElementName));
 
                 // All
@@ -134,15 +141,17 @@ namespace WixToolsetTest.CoreIntegration
                 xml = File.ReadAllText(allOutFile);
                 WixAssert.StringEqual(
                     "<root>" +
+                    "<BundlePackage>" +
+                    "<BundlePackagePayload Name='test.exe' ProductName='DiversePayloadsBundle' Description='DiversePayloadsBundle' Hash='*' Size='*' Version='1.0.0.0'>" +
+                    "<RemoteBundle BundleId='*' DisplayName='DiversePayloadsBundle' EngineVersion='*' InstallSize='3790116' ManifestNamespace='http://wixtoolset.org/schemas/v4/2008/Burn' PerMachine='yes' ProviderKey='*' ProtocolVersion='1' Version='1.0.0.0' Win64='no' UpgradeCode='{FEF1D2B8-4737-4A2A-9F91-77F7294FB55B}' />" +
+                    "</BundlePackagePayload>" +
                     "<Payload Name='External.cab' Hash='*' Size='*' />" +
                     "<Payload Name='signed_bundle_engine.exe' ProductName='~TestBundle' Description='~TestBundle' Hash='*' Size='*' Version='1.0.0.0' />" +
                     "<Payload Name='Windows8.1-KB2937592-x86.msu' Hash='*' Size='*' />" +
                     "<Payload Name='test.msi' Hash='*' Size='*' />" +
                     "<Payload Name='test.txt' Hash='*' Size='*' />" +
                     "<Payload Name='Shared.dll' Hash='*' Size='*' />" +
-                    "<BundlePackagePayload Name='test.exe' ProductName='DiversePayloadsBundle' Description='DiversePayloadsBundle' Hash='*' Size='*' Version='1.0.0.0'>" +
-                    "<RemoteBundle BundleId='*' DisplayName='DiversePayloadsBundle' EngineVersion='*' InstallSize='3790116' ManifestNamespace='http://wixtoolset.org/schemas/v4/2008/Burn' PerMachine='yes' ProviderKey='*' ProtocolVersion='1' Version='1.0.0.0' Win64='no' UpgradeCode='{FEF1D2B8-4737-4A2A-9F91-77F7294FB55B}' />" +
-                    "</BundlePackagePayload>" +
+                    "</BundlePackage>" +
                     "</root>", xml.GetFragmentTestXml(ignoreAttributesByElementName));
             }
         }
@@ -173,9 +182,11 @@ namespace WixToolsetTest.CoreIntegration
 
                 WixAssert.CompareLineByLine(new[]
                 {
-                    "<BundlePackagePayload Name='v3bundle.exe' ProductName='CustomV3Theme' Description='CustomV3Theme' DownloadUrl='https://www.example.com/files/v3bundle.exe' Hash='80739E7B8C31D75B4CDC48D60D74F5E481CB904212A3AE3FB0920365A163FBF32B0C5C175AB516D4124F107923E96200605DE1D560D362FEB47350FA727823B4' Size='648397' Version='1.0.0.0'>",
-                    "  <RemoteBundle BundleId='{215A70DB-AB35-48C7-BE51-D66EAAC87177}' DisplayName='CustomV3Theme' InstallSize='1135' ManifestNamespace='http://schemas.microsoft.com/wix/2008/Burn' PerMachine='yes' ProviderKey='{215a70db-ab35-48c7-be51-d66eaac87177}' ProtocolVersion='1' Version='1.0.0.0' Win64='no' UpgradeCode='{2BF4C01F-C132-4E70-97AB-2BC68C7CCD10}' />",
-                    "</BundlePackagePayload>",
+                    "<BundlePackage>",
+                    "  <BundlePackagePayload Name='v3bundle.exe' ProductName='CustomV3Theme' Description='CustomV3Theme' DownloadUrl='https://www.example.com/files/{0}' Hash='80739E7B8C31D75B4CDC48D60D74F5E481CB904212A3AE3FB0920365A163FBF32B0C5C175AB516D4124F107923E96200605DE1D560D362FEB47350FA727823B4' Size='648397' Version='1.0.0.0'>",
+                    "    <RemoteBundle BundleId='{215A70DB-AB35-48C7-BE51-D66EAAC87177}' DisplayName='CustomV3Theme' InstallSize='1135' ManifestNamespace='http://schemas.microsoft.com/wix/2008/Burn' PerMachine='yes' ProviderKey='{215a70db-ab35-48c7-be51-d66eaac87177}' ProtocolVersion='1' Version='1.0.0.0' Win64='no' UpgradeCode='{2BF4C01F-C132-4E70-97AB-2BC68C7CCD10}' />",
+                    "  </BundlePackagePayload>",
+                    "</BundlePackage>",
                 }, elements);
             }
         }
@@ -205,7 +216,9 @@ namespace WixToolsetTest.CoreIntegration
 
                 WixAssert.CompareLineByLine(new[]
                 {
-                    @"<ExePackagePayload Name='burn.exe' ProductName='Windows Installer XML Toolset' Description='WiX Toolset Bootstrapper' DownloadUrl='https://www.example.com/files/burn.exe' Hash='F6E722518AC3AB7E31C70099368D5770788C179AA23226110DCF07319B1E1964E246A1E8AE72E2CF23E0138AFC281BAFDE45969204405E114EB20C8195DA7E5E' Size='463360' Version='3.14.0.1703' />",
+                    @"<ExePackage>",
+                    @"  <ExePackagePayload Name='burn.exe' ProductName='Windows Installer XML Toolset' Description='WiX Toolset Bootstrapper' DownloadUrl='https://www.example.com/files/{0}' Hash='F6E722518AC3AB7E31C70099368D5770788C179AA23226110DCF07319B1E1964E246A1E8AE72E2CF23E0138AFC281BAFDE45969204405E114EB20C8195DA7E5E' Size='463360' Version='3.14.0.1703' />",
+                    @"</ExePackage>",
                 }, elements);
             }
         }
@@ -234,12 +247,76 @@ namespace WixToolsetTest.CoreIntegration
 
                 WixAssert.CompareLineByLine(new[]
                 {
-                    @"<MsuPackagePayload Name='Windows8.1-KB2937592-x86.msu' Hash='904ADEA6AB675ACE16483138BF3F5850FD56ACB6E3A13AFA7263ED49C68CCE6CF84D6AAD6F99AAF175A95EE1A56C787C5AD968019056490B1073E7DBB7B9B7BE' Size='309544' />",
+                    @"<MsuPackage>",
+                    @"  <MsuPackagePayload Name='Windows8.1-KB2937592-x86.msu' Hash='904ADEA6AB675ACE16483138BF3F5850FD56ACB6E3A13AFA7263ED49C68CCE6CF84D6AAD6F99AAF175A95EE1A56C787C5AD968019056490B1073E7DBB7B9B7BE' Size='309544' />",
+                    @"</MsuPackage>"
                 }, elements);
             }
         }
 
         [Fact]
+        public void CanGetRemoteMsuPayloadWithCertificate()
+        {
+            var folder = TestData.Get(@"TestData");
+
+            using (var fs = new DisposableFileSystem())
+            {
+                var outputFolder = fs.GetFolder();
+                var outFile = Path.Combine(outputFolder, "out.xml");
+                var remotePayloadSourceFile = Path.Combine(outputFolder, "remotePayload.wxs");
+                var intermediateFolder = Path.Combine(outputFolder, "obj");
+                var bundleFile = Path.Combine(intermediateFolder, "out.exe");
+
+                var result = WixRunner.Execute(new[]
+                {
+                    "burn", "remotepayload",
+                    "-usecertificate",
+                    "-downloadUrl", "http://wixtoolset.org/{0}",
+                    Path.Combine(folder, ".Data", "Windows8.1-KB2937592-x86.msu"),
+                    "-o", outFile
+                });
+
+                result.AssertSuccess();
+
+                var elements = File.ReadAllLines(outFile);
+                elements = elements.Select(s => s.Replace("\"", "'")).ToArray();
+
+                WixAssert.CompareLineByLine(new[]
+                {
+                    @"<MsuPackage CacheId='904ADEA6AB675ACE16483138BF3F5850FD56ACB6E3A1108E2BA23632620C427C'>",
+                    @"  <MsuPackagePayload Name='Windows8.1-KB2937592-x86.msu' DownloadUrl='http://wixtoolset.org/{0}' CertificatePublicKey='A260A870BE1145ED71E2BB5AA19463A4FE9DCC41' CertificateThumbprint='108E2BA23632620C427C570B6D9DB51AC31387FE' Size='309544' />",
+                    @"</MsuPackage>"
+                }, elements);
+
+                // Append required attributes to build.
+                elements[0] = elements[0].Replace(">", " KB='KB2937592' DetectCondition='test'>");
+
+                var remotePayloadSourceText = "<Wix xmlns='http://wixtoolset.org/schemas/v4/wxs'>" +
+                    "  <Fragment>" +
+                    "    <PackageGroup Id='BundlePackages'>" +
+                    String.Join(Environment.NewLine, elements) +
+                    "    </PackageGroup>" +
+                    "  </Fragment>" +
+                    "</Wix>";
+
+                File.WriteAllText(remotePayloadSourceFile, remotePayloadSourceText);
+
+                result = WixRunner.Execute(new[]
+                {
+                    "build",
+                    Path.Combine(folder, "BundleWithPackageGroupRef", "Bundle.wxs"),
+                    remotePayloadSourceFile,
+                    "-bindpath", Path.Combine(folder, "SimpleBundle", "data"),
+                    "-bindpath", Path.Combine(folder, ".Data"),
+                    "-intermediateFolder", intermediateFolder,
+                     "-o", bundleFile
+                });
+
+                result.AssertSuccess();
+            }
+        }
+
+        [Fact(Skip = "Blocked by https://github.com/wixtoolset/issues/issues/5601 - Support RemotePayload for Payload elements")]
         public void CanGetRemotePayloadWithCertificate()
         {
             var folder = TestData.Get(@"TestData");
@@ -248,11 +325,15 @@ namespace WixToolsetTest.CoreIntegration
             {
                 var outputFolder = fs.GetFolder();
                 var outFile = Path.Combine(outputFolder, "out.xml");
+                var remotePayloadSourceFile = Path.Combine(outputFolder, "remotePayload.wxs");
+                var intermediateFolder = Path.Combine(outputFolder, "obj");
+                var bundleFile = Path.Combine(intermediateFolder, "out.exe");
 
                 var result = WixRunner.Execute(new[]
                 {
                     "burn", "remotepayload",
                     "-usecertificate",
+                    "-downloadUrl", "http://wixtoolset.org/{0}",
                     Path.Combine(folder, ".Data", "burn.exe"),
                     Path.Combine(folder, ".Data", "signed_cab1.cab"),
                     "-o", outFile
@@ -265,9 +346,38 @@ namespace WixToolsetTest.CoreIntegration
 
                 WixAssert.CompareLineByLine(new[]
                 {
-                    @"<ExePackagePayload Name='burn.exe' ProductName='Windows Installer XML Toolset' Description='WiX Toolset Bootstrapper' Hash='F6E722518AC3AB7E31C70099368D5770788C179AA23226110DCF07319B1E1964E246A1E8AE72E2CF23E0138AFC281BAFDE45969204405E114EB20C8195DA7E5E' Size='463360' Version='3.14.0.1703' />",
-                    @"<Payload Name='signed_cab1.cab' CertificatePublicKey='BBD1B48A37503767C71F455624967D406A5D66C3' CertificateThumbprint='DE13B4CE635E3F63AA2394E66F95C460267BC82F' Hash='D8D3842403710E1F6036A62543224855CADF546853933C2B17BA99D789D4347B36717687C022678A9D3DE749DFC1482DAAB92B997B62BB32A8A6828B9D04C414' Size='1585' />",
+                    @"<ExePackage>",
+                    @"  <ExePackagePayload Name='burn.exe' ProductName='Windows Installer XML Toolset' Description='WiX Toolset Bootstrapper' DownloadUrl='http://wixtoolset.org/{0}' Hash='F6E722518AC3AB7E31C70099368D5770788C179AA23226110DCF07319B1E1964E246A1E8AE72E2CF23E0138AFC281BAFDE45969204405E114EB20C8195DA7E5E' Size='463360' Version='3.14.0.1703' />",
+                    @"  <Payload Name='signed_cab1.cab' DownloadUrl='http://wixtoolset.org/{0}' CertificatePublicKey='BBD1B48A37503767C71F455624967D406A5D66C3' CertificateThumbprint='DE13B4CE635E3F63AA2394E66F95C460267BC82F' Size='1585' />",
+                    @"</ExePackage>",
                 }, elements);
+
+                elements[0] = elements[0].Replace(">", " Permanent='yes' DetectCondition='test'>");
+
+                var remotePayloadSourceText = "<Wix xmlns='http://wixtoolset.org/schemas/v4/wxs'>" +
+                    "  <Fragment>" +
+                    "    <PackageGroup Id='BundlePackages'>" +
+                    "      <ExePackage CacheId='xyz'>" +
+                    String.Join(Environment.NewLine, elements) +
+                    "      </ExePackage>" +
+                    "    </PackageGroup>" +
+                    "  </Fragment>" +
+                    "</Wix>";
+
+                File.WriteAllText(remotePayloadSourceFile, remotePayloadSourceText);
+
+                result = WixRunner.Execute(new[]
+                {
+                    "build",
+                    Path.Combine(folder, "BundleWithPackageGroupRef", "Bundle.wxs"),
+                    remotePayloadSourceFile,
+                    "-bindpath", Path.Combine(folder, "SimpleBundle", "data"),
+                    "-bindpath", Path.Combine(folder, ".Data"),
+                    "-intermediateFolder", intermediateFolder,
+                     "-o", bundleFile
+                });
+
+                result.AssertSuccess();
             }
         }
 
@@ -296,8 +406,10 @@ namespace WixToolsetTest.CoreIntegration
 
                 WixAssert.CompareLineByLine(new[]
                 {
-                    @"<ExePackagePayload Name='burn.exe' ProductName='Windows Installer XML Toolset' Description='WiX Toolset Bootstrapper' Hash='F6E722518AC3AB7E31C70099368D5770788C179AA23226110DCF07319B1E1964E246A1E8AE72E2CF23E0138AFC281BAFDE45969204405E114EB20C8195DA7E5E' Size='463360' Version='3.14.0.1703' />",
-                    @"<Payload Name='signed_cab1.cab' Hash='D8D3842403710E1F6036A62543224855CADF546853933C2B17BA99D789D4347B36717687C022678A9D3DE749DFC1482DAAB92B997B62BB32A8A6828B9D04C414' Size='1585' />",
+                    @"<ExePackage>",
+                    @"  <ExePackagePayload Name='burn.exe' ProductName='Windows Installer XML Toolset' Description='WiX Toolset Bootstrapper' Hash='F6E722518AC3AB7E31C70099368D5770788C179AA23226110DCF07319B1E1964E246A1E8AE72E2CF23E0138AFC281BAFDE45969204405E114EB20C8195DA7E5E' Size='463360' Version='3.14.0.1703' />",
+                    @"  <Payload Name='signed_cab1.cab' Hash='D8D3842403710E1F6036A62543224855CADF546853933C2B17BA99D789D4347B36717687C022678A9D3DE749DFC1482DAAB92B997B62BB32A8A6828B9D04C414' Size='1585' />",
+                    @"</ExePackage>",
                 }, elements);
             }
         }
@@ -319,6 +431,7 @@ namespace WixToolsetTest.CoreIntegration
                     "-du", "https://www.example.com/files/{0}",
                     Path.Combine(folder, ".Data", "burn.exe"),
                     Path.Combine(folder, "RemotePayload", "recurse", "*"),
+                    "-basepath", Path.Combine(folder, "RemotePayload", "recurse"),
                     "-basepath", folder,
                     "-bp", Path.Combine(folder, ".Data"),
                     "-o", outFile
@@ -331,10 +444,12 @@ namespace WixToolsetTest.CoreIntegration
 
                 WixAssert.CompareLineByLine(new[]
                 {
-                    @"<ExePackagePayload Name='burn.exe' ProductName='Windows Installer XML Toolset' Description='WiX Toolset Bootstrapper' DownloadUrl='https://www.example.com/files/burn.exe' Hash='F6E722518AC3AB7E31C70099368D5770788C179AA23226110DCF07319B1E1964E246A1E8AE72E2CF23E0138AFC281BAFDE45969204405E114EB20C8195DA7E5E' Size='463360' Version='3.14.0.1703' />",
-                    @"<Payload Name='a.dat' DownloadUrl='https://www.example.com/files/RemotePayload/recurse/a.dat' Hash='D13926E5CBE5ED8B46133F9199FAF2FF25B25981C67A31AE2BC3F6C20390FACBFADCD89BD22D3445D95B989C8EACFB1E68DB634BECB5C9624865BA453BCE362A' Size='16' />",
-                    @"<Payload Name='b.dat' DownloadUrl='https://www.example.com/files/RemotePayload/recurse/subfolder/b.dat' Hash='5F94707BC29ADFE3B9615E6753388707FD0B8F5FD9EEEC2B17E21E72F1635FF7D7A101E7D14F614E111F263CB9AC4D0940BE1247881A7844F226D6C400293D8E' Size='37' />",
-                    @"<Payload Name='c.dat' DownloadUrl='https://www.example.com/files/RemotePayload/recurse/subfolder/c.dat' Hash='97D6209A5571E05E4F72F9C6BF0987651FA03E63F971F9B53C2B3D798A666D9864F232D4E2D6442E47D9D72B282309B6EEFF4EE017B43B706FA92A0F5EF74734' Size='42' />",
+                    @"<ExePackage>",
+                    @"  <ExePackagePayload Name='burn.exe' ProductName='Windows Installer XML Toolset' Description='WiX Toolset Bootstrapper' DownloadUrl='https://www.example.com/files/{0}' Hash='F6E722518AC3AB7E31C70099368D5770788C179AA23226110DCF07319B1E1964E246A1E8AE72E2CF23E0138AFC281BAFDE45969204405E114EB20C8195DA7E5E' Size='463360' Version='3.14.0.1703' />",
+                    @"  <Payload Name='a.dat' DownloadUrl='https://www.example.com/files/{0}' Hash='D13926E5CBE5ED8B46133F9199FAF2FF25B25981C67A31AE2BC3F6C20390FACBFADCD89BD22D3445D95B989C8EACFB1E68DB634BECB5C9624865BA453BCE362A' Size='16' />",
+                    @"  <Payload Name='subfolder\b.dat' DownloadUrl='https://www.example.com/files/{0}' Hash='5F94707BC29ADFE3B9615E6753388707FD0B8F5FD9EEEC2B17E21E72F1635FF7D7A101E7D14F614E111F263CB9AC4D0940BE1247881A7844F226D6C400293D8E' Size='37' />",
+                    @"  <Payload Name='subfolder\c.dat' DownloadUrl='https://www.example.com/files/{0}' Hash='97D6209A5571E05E4F72F9C6BF0987651FA03E63F971F9B53C2B3D798A666D9864F232D4E2D6442E47D9D72B282309B6EEFF4EE017B43B706FA92A0F5EF74734' Size='42' />",
+                    @"</ExePackage>"
                 }, elements);
             }
         }
diff --git a/src/wix/test/WixToolsetTest.CoreIntegration/TestData/.Data/fakeba.dll b/src/wix/test/WixToolsetTest.CoreIntegration/TestData/.Data/fakeba.dll
new file mode 100644
index 00000000..b3cf17d8
--- /dev/null
+++ b/src/wix/test/WixToolsetTest.CoreIntegration/TestData/.Data/fakeba.dll
@@ -0,0 +1 @@
+This is a fake BA DLL
diff --git a/src/wix/test/WixToolsetTest.CoreIntegration/TestData/ExePackage/UseCertificateVerificationWithoutCacheId.wxs b/src/wix/test/WixToolsetTest.CoreIntegration/TestData/ExePackage/UseCertificateVerificationWithoutCacheId.wxs
new file mode 100644
index 00000000..49306479
--- /dev/null
+++ b/src/wix/test/WixToolsetTest.CoreIntegration/TestData/ExePackage/UseCertificateVerificationWithoutCacheId.wxs
@@ -0,0 +1,13 @@
+<Wix xmlns="http://wixtoolset.org/schemas/v4/wxs">
+    <Bundle Name="BurnBundle" Version="1.0.0.0" Manufacturer="Example Corporation" UpgradeCode="B94478B1-E1F3-4700-9CE8-6AA090854AEC">
+        <BootstrapperApplication>
+            <BootstrapperApplicationDll SourceFile="fakeba.dll" />
+        </BootstrapperApplication>
+        
+        <Chain>
+            <ExePackage DetectCondition="DetectedTheMsu" UninstallArguments="-uninstall">
+              <ExePackagePayload Name='foo.exe' DownloadUrl='http://wixtoolset.org' CertificatePublicKey="abc" CertificateThumbprint="123" Size='10' />
+            </ExePackage>
+        </Chain>
+    </Bundle>
+</Wix>
diff --git a/src/wix/test/WixToolsetTest.CoreIntegration/TestData/MsuPackage/BundleUsingCertificateVerification.wxs b/src/wix/test/WixToolsetTest.CoreIntegration/TestData/MsuPackage/BundleUsingCertificateVerification.wxs
new file mode 100644
index 00000000..dcae2cf8
--- /dev/null
+++ b/src/wix/test/WixToolsetTest.CoreIntegration/TestData/MsuPackage/BundleUsingCertificateVerification.wxs
@@ -0,0 +1,13 @@
+<Wix xmlns="http://wixtoolset.org/schemas/v4/wxs">
+    <Bundle Name="BurnBundle" Version="1.0.0.0" Manufacturer="Example Corporation" UpgradeCode="B94478B1-E1F3-4700-9CE8-6AA090854AEC">
+        <BootstrapperApplication>
+            <BootstrapperApplicationDll SourceFile="fakeba.dll" />
+        </BootstrapperApplication>
+        
+        <Chain>
+            <MsuPackage DetectCondition="DetectedTheMsu" KB="xyz" CacheId="8cf75b99-13c0-4184-82ce-dbde45dcd55a">
+              <MsuPackagePayload Name='Windows8.1-KB2937592-x86.msu' DownloadUrl='http://wixtoolset.org' CertificatePublicKey="abc" CertificateThumbprint="123" Size='309544' />
+            </MsuPackage>
+        </Chain>
+    </Bundle>
+</Wix>
diff --git a/src/wix/test/WixToolsetTest.CoreIntegration/TestData/MsuPackage/BundleUsingCertificateVerificationWithoutCacheId.wxs b/src/wix/test/WixToolsetTest.CoreIntegration/TestData/MsuPackage/BundleUsingCertificateVerificationWithoutCacheId.wxs
new file mode 100644
index 00000000..f9282e37
--- /dev/null
+++ b/src/wix/test/WixToolsetTest.CoreIntegration/TestData/MsuPackage/BundleUsingCertificateVerificationWithoutCacheId.wxs
@@ -0,0 +1,13 @@
+<Wix xmlns="http://wixtoolset.org/schemas/v4/wxs">
+    <Bundle Name="BurnBundle" Version="1.0.0.0" Manufacturer="Example Corporation" UpgradeCode="B94478B1-E1F3-4700-9CE8-6AA090854AEC">
+        <BootstrapperApplication>
+            <BootstrapperApplicationDll SourceFile="fakeba.dll" />
+        </BootstrapperApplication>
+        
+        <Chain>
+            <MsuPackage DetectCondition="DetectedTheMsu" KB="xyz" >
+              <MsuPackagePayload Name='Windows8.1-KB2937592-x86.msu' DownloadUrl='http://wixtoolset.org' CertificatePublicKey="abc" CertificateThumbprint="123" Size='309544' />
+            </MsuPackage>
+        </Chain>
+    </Bundle>
+</Wix>
diff --git a/src/wix/test/WixToolsetTest.CoreIntegration/TestData/MsuPackage/data/fakeba.dll b/src/wix/test/WixToolsetTest.CoreIntegration/TestData/MsuPackage/data/fakeba.dll
deleted file mode 100644
index b3cf17d8..00000000
--- a/src/wix/test/WixToolsetTest.CoreIntegration/TestData/MsuPackage/data/fakeba.dll
+++ /dev/null
@@ -1 +0,0 @@
-This is a fake BA DLL
diff --git a/src/wix/test/WixToolsetTest.CoreIntegration/TestData/PackagePayload/SpecifiedCertificate.wxs b/src/wix/test/WixToolsetTest.CoreIntegration/TestData/PackagePayload/SpecifiedCertificate.wxs
index b5dec9a2..bee56215 100644
--- a/src/wix/test/WixToolsetTest.CoreIntegration/TestData/PackagePayload/SpecifiedCertificate.wxs
+++ b/src/wix/test/WixToolsetTest.CoreIntegration/TestData/PackagePayload/SpecifiedCertificate.wxs
@@ -3,7 +3,7 @@
     <Fragment>
         <PackageGroup Id="BundlePackages">
             <ExePackage Id="SpecifiedSourceFileAndHash" Permanent="yes" DetectCondition="none">
-                <ExePackagePayload CertificatePublicKey="abcd" CertificateThumbprint="abcd" Hash="1234" DownloadUrl="https://example.com/" Name="fake.exe" Size="100" />
+                <ExePackagePayload CertificatePublicKey="abcd" CertificateThumbprint="abcd" DownloadUrl="https://example.com/" Name="fake.exe" Size="100" />
             </ExePackage>
         </PackageGroup>
     </Fragment>
diff --git a/src/wix/test/WixToolsetTest.CoreIntegration/TestData/PackagePayload/SpecifiedCertificatePublicKeyWithoutThumbprint.wxs b/src/wix/test/WixToolsetTest.CoreIntegration/TestData/PackagePayload/SpecifiedCertificatePublicKeyWithoutThumbprint.wxs
index aa915a31..3694cd72 100644
--- a/src/wix/test/WixToolsetTest.CoreIntegration/TestData/PackagePayload/SpecifiedCertificatePublicKeyWithoutThumbprint.wxs
+++ b/src/wix/test/WixToolsetTest.CoreIntegration/TestData/PackagePayload/SpecifiedCertificatePublicKeyWithoutThumbprint.wxs
@@ -3,7 +3,7 @@
     <Fragment>
         <PackageGroup Id="BundlePackages">
             <ExePackage Id="SpecifiedSourceFileAndHash" Permanent="yes" DetectCondition="none">
-                <ExePackagePayload CertificatePublicKey="abcd" Hash="123" DownloadUrl="https://example.com/" Name="fake.exe" Size="100" />
+                <ExePackagePayload CertificatePublicKey="abcd" DownloadUrl="https://example.com/" Name="fake.exe" Size="100" />
             </ExePackage>
         </PackageGroup>
     </Fragment>
-- 
cgit v1.2.3-55-g6feb